Bump pytest-testinfra from 8.1.0 to 10.0.0 (#54)

Bumps [pytest-testinfra](https://github.com/pytest-dev/pytest-testinfra) from 8.1.0 to 10.0.0. - [Release notes](https://github.com/pytest-dev/pytest-testinfra/releases) - [Changelog](https://github.com/pytest-dev/pytest-testinfra/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest-testinfra@8.1.0...10.0.0) --- updated-dependencies: - dependency-name: pytest-testinfra dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Revert "Bump pytest-testinfra from 8.1.0 to 10.0.0 (#54)" (#60) This reverts commit 72997ef. Create SECURITY.md (#62) delete docker snyk (#63) Bump urllib3 from 1.26.18 to 2.1.0 (#58) Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.18 to 2.1.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@1.26.18...2.1.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Bump markupsafe from 2.1.1 to 2.1.3 (#57) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.1 to 2.1.3. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](pallets/markupsafe@2.1.1...2.1.3) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Bump loguru from 0.6.0 to 0.7.2 (#55) Bumps [loguru](https://github.com/Delgan/loguru) from 0.6.0 to 0.7.2. - [Release notes](https://github.com/Delgan/loguru/releases) - [Changelog](https://github.com/Delgan/loguru/blob/master/CHANGELOG.rst) - [Commits](Delgan/loguru@0.6.0...0.7.2) --- updated-dependencies: - dependency-name: loguru dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Bump psutil from 5.8.0 to 5.9.7 (#56) Bumps [psutil](https://github.com/giampaolo/psutil) from 5.8.0 to 5.9.7. - [Changelog](https://github.com/giampaolo/psutil/blob/master/HISTORY.rst) - [Commits](giampaolo/psutil@release-5.8.0...release-5.9.7) --- updated-dependencies: - dependency-name: psutil dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jürgen <[email protected]> fix jinja2 templating with autoescape (#64) push to github based on github tag (#65) Update docker-hub-image.yml (#66) push to github based on github tag push to github based on github tag (#67) Add docker push based ongit tag (#68) * push to github based on github tag * push to github based on github tag Add docker push based ongit tag (#69) * push to github based on github tag * fix actions Add docker push based ongit tag (#70) * push to github based on github tag * push to github based on github tag * fix actions * fix actions fix actions (#71) Add docker push based ongit tag2 (#72) * fix actions * fix actions change actions for new docker push flow (#75) * change actions for new docker push flow * update python version to 3.9 Bump psutil from 5.8.0 to 5.9.7 (#73) Bumps [psutil](https://github.com/giampaolo/psutil) from 5.8.0 to 5.9.7. - [Changelog](https://github.com/giampaolo/psutil/blob/master/HISTORY.rst) - [Commits](giampaolo/psutil@release-5.8.0...release-5.9.7) --- updated-dependencies: - dependency-name: psutil dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Migration to tags (#76) * change actions for new docker push flow * update python version to 3.9 * change actions for new docker push flow Bump pytest-testinfra from 8.1.0 to 10.0.0 (#74) Bumps [pytest-testinfra](https://github.com/pytest-dev/pytest-testinfra) from 8.1.0 to 10.0.0. - [Release notes](https://github.com/pytest-dev/pytest-testinfra/releases) - [Changelog](https://github.com/pytest-dev/pytest-testinfra/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest-testinfra@8.1.0...10.0.0) --- updated-dependencies: - dependency-name: pytest-testinfra dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Migration to tags (#77) * change actions for new docker push flow * update python version to 3.9 * change actions for new docker push flow * added build arg for tag fix variable for build (#78) Checks all branches (#79) * run security check for all branches Update docker-hub-image-main.yml (#81) Update github actions (#82) * Update docker-hub-image-main.yml * Update docker-hub-image-tag.yml changes for agent version and docker tag (#85) fix ambiguous redirect (#86) clean history
pyToshka · Jan 9, 2024 · e0362d7 · e0362d7
1 parent 27864b7
commit e0362d7
Show file tree

Hide file tree

Showing 9 changed files with 136 additions and 52 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -13,10 +13,11 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main" ]
+    branches:
+      - '**'
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches:
+       - '**'
   schedule:
     - cron: '45 10 * * 5'
 

diff --git a/.github/workflows/docker-hub-image.yml → .github/workflows/docker-hub-image-main.yml b/.github/workflows/docker-hub-image.yml → .github/workflows/docker-hub-image-main.yml
@@ -1,17 +1,10 @@
-name: Build and push docker images
+name: Build and push docker images for main branch
 
 # Controls when the workflow will run
 on:
-  workflow_run:
-    workflows: ["CodeQL"]
-    branches: [main]
-    types:
-      - completed
   push:
     branches:
       - 'main'
-    tags:
-      - 'v*.*.*'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -32,6 +25,12 @@ jobs:
             image: kennyopennix/wazuh-agent-amazonlinux
           - dockerfile: ./images/Dockerfie.ubuntu
             image: kennyopennix/wazuh-agent-ubuntu
+          - dockerfile: ./Dockerfile
+            image: opennix/wazuh-agent
+          - dockerfile: ./images/Dockerfie.amazonlinux
+            image: opennix/wazuh-agent-amazonlinux
+          - dockerfile: ./images/Dockerfie.ubuntu
+            image: opennix/wazuh-agent-ubuntu
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -47,6 +46,7 @@ jobs:
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
       - name: Extract metadata (tags, labels) for Docker
         if: github.event_name != 'pull_request'
+        continue-on-error: true
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -56,9 +56,9 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=sha
       - name: Build and push
         uses: docker/build-push-action@v5
+        continue-on-error: true
         with:
           context: .
           file: ${{ matrix.dockerfile }}

diff --git a/.github/workflows/docker-hub-image-tag.yml b/.github/workflows/docker-hub-image-tag.yml
@@ -0,0 +1,76 @@
+name: Build and push docker images for git tag
+
+# Controls when the workflow will run
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+permissions:
+  contents: read
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - dockerfile: ./Dockerfile
+            image: kennyopennix/wazuh-agent
+          - dockerfile: ./images/Dockerfie.amazonlinux
+            image: kennyopennix/wazuh-agent-amazonlinux
+          - dockerfile: ./images/Dockerfie.ubuntu
+            image: kennyopennix/wazuh-agent-ubuntu
+          - dockerfile: ./Dockerfile
+            image: opennix/wazuh-agent
+          - dockerfile: ./images/Dockerfie.amazonlinux
+            image: opennix/wazuh-agent-amazonlinux
+          - dockerfile: ./images/Dockerfie.ubuntu
+            image: opennix/wazuh-agent-ubuntu
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Set Agent version
+        shell: bash
+        run: echo "AGENT_VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed 's/v//g')" >> $GITHUB_ENV
+
+      - name: Set Docker tag
+        shell: bash
+        run: echo "TAG_NAME=$(echo ${GITHUB_REF#refs/heads/} | sed 's/v//g'|sed 's/-1//g')" >> $GITHUB_ENV
+
+      - name: Docker tag and agent version
+        run: |
+          echo "All envs ${{ env }}"
+          echo "New docker image tag ${{ env.TAG_NAME }}"
+          echo "Wazuh agent version ${{ env.AGENT_VERSION }}"
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        continue-on-error: true
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ matrix.image }}:${{ env.TAG_NAME }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+              AGENT_VERSION=${{ env.AGENT_VERSION }}
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
@@ -2,10 +2,11 @@ name: Snyk Security
 
 on:
   push:
-    branches: ["main" ]
+    branches:
+      - '**'
   pull_request:
-    branches: ["main"]
-
+    branches:
+      - '**'
 permissions:
   contents: read
 
@@ -18,14 +19,6 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
-      matrix:
-        include:
-          - dockerfile: ./Dockerfile
-            image: kennyopennix/wazuh-agent
-          - dockerfile: ./images/Dockerfie.amazonlinux
-            image: kennyopennix/wazuh-agent-amazonlinux
-          - dockerfile: ./images/Dockerfie.ubuntu
-            image: kennyopennix/wazuh-agent-ubuntu
     steps:
       - uses: actions/checkout@v3
       - name: Set up Snyk CLI to check for security issues
@@ -39,17 +32,8 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
-      - name: Build a Docker image
-        continue-on-error: true
-        run: docker build -t ${{ matrix.image }}  -f ${{ matrix.dockerfile }} .
-
-      - name: Snyk Container monitor
-        continue-on-error: true
-        run: snyk container monitor ${{ matrix.image }} --file=${{ matrix.dockerfile }}
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
+        continue-on-error: true
         with:
           sarif_file: snyk-code.sarif
diff --git a/.github/workflows/tests-wazuh-docker.yml b/.github/workflows/tests-wazuh-docker.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches:
       - 'main'
+      - 'release-*'
+    tags:
+      - 'v*.*.*'
 
 permissions:
   contents: read
@@ -23,10 +26,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Python 3.8
+    - name: Set up Python 3.9
       uses: actions/setup-python@v3
       with:
-        python-version: "3.8"
+        python-version: "3.9"
         cache: 'pip'
     - name: Install dependencies
       run: |
@@ -54,10 +57,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Python 3.8
+    - name: Set up Python 3.9
       uses: actions/setup-python@v3
       with:
-        python-version: "3.8"
+        python-version: "3.9"
         cache: 'pip'
     - name: Install dependencies
       run: |
@@ -73,11 +76,6 @@ jobs:
       with:
         name: wazuh-unittests
         path: ${{ github.workspace }}/test-results/
-    - name: Docker pull.
-      run: |
-        docker pull wazuh/wazuh-manager:4.7.0
-        docker pull wazuh/wazuh-indexer:4.7.0
-        docker pull wazuh/wazuh-dashboard:4.7.0
     - name: Create single node certificates
       run: docker-compose -f tests/single-node/generate-indexer-certs.yml run --rm generator
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,25 @@
+## Security
+
+OpenNix takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.** Instead, please report them to the OpenNix at [[email protected]](mailto:[email protected]).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English or Russian.
diff --git a/register_agent.py b/register_agent.py
@@ -64,7 +64,7 @@ def http_codes_serializer(response, status_code):
 def create_config_file():
     logger.info(f"Create Wazuh agent configuration for node {node_name}")
     with open("ossec.jinja2") as file_:
-        template = Template(file_.read())
+        template = Template(file_.read(), autoescape=True)
         config = template.render(
             join_manager_hostname=join_manager_worker,
             join_manager_port=join_manager_port,

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,11 +1,11 @@
 requests==2.31.0
 Jinja2==3.1.2
-urllib3==1.26.18
+urllib3==2.1.0
 py-healthcheck==1.10.1
-psutil==5.8.0
-loguru==0.6.0
-markupsafe==2.1.1
+psutil==5.9.7
+loguru==0.7.2
+markupsafe==2.1.3
 pytest==7.4.4
-pytest-testinfra==8.1.0
+pytest-testinfra==10.0.0
 black==23.12.1
 argparse==1.4.0
diff --git a/requirements.txt b/requirements.txt
@@ -1,7 +1,7 @@
 requests==2.31.0
 Jinja2==3.1.2
-urllib3==1.26.18
+urllib3==2.1.0
 py-healthcheck==1.10.1
-psutil==5.8.0
-loguru==0.6.0
-markupsafe==2.1.1
+psutil==5.9.7
+loguru==0.7.2
+markupsafe==2.1.3